Secure resource name resolution

ABSTRACT

Techniques for securing name resolution technologies and for ensuring that name resolution technologies can function in modern networks that have a plurality of overlay networks accessible via a single network interface. In accordance with some of the principles described herein, a set of resolution parameters may be implemented by a user, such as an end user or an administrator, to be used during a name resolution process for securing the process and/or for conducting the process in an overlay network. In some implementations, the set of resolution parameters may be maintained as a table of rules, and used to govern name resolution processes. For example, resolution parameters may be created that govern a DNSSEC session, or that govern how to communicate with networks implemented with Microsoft&#39;s Direct Access overlay technologies, or that govern communications using any other networking technology.

BACKGROUND

This invention relates to name resolution technologies. In computercommunication networks, several different techniques may be used foridentifying resources accessible via the network. These resources mayinclude hosts attached to the network, such as client and servercomputing devices, as well as networking resources such as routers,gateways, firewalls, and others. In one technique, resources may beidentified by one or more identifying numbers, such as a Medium AccessControl (MAC) address or Internet Protocol (IP) address. It has beenrecognized, however, that while these addresses are useful forcomputer-to-computer communication, users often find it difficult toremember such identifying numbers and that this difficulty may deterusers from accessing network resources. Resources may also, therefore,be additionally or alternatively identified by textual identifiers thatare more easily remembered by users. Technologies which implementtextual identifiers for identifying resources include NetBIOS, LocalLink Multicast Name Resolution (LLMNR), and the Domain Name System(DNS).

Technologies that offer such textual identifiers may also offertranslation services to match a textual identifier, which is easy forthe user to remember, to a numeric identifier, which is easier for thecomputing device to process (or vice versa). In DNS, for example, when auser inputs to a computing device a textual identifier (a “domain name”in DNS) to initiate communication with a resource identified by thatdomain name, a DNS client on the computing device will query a DNSserver to “resolve” the domain name into an IP address. The DNS server,upon receiving a query, will find an IP address corresponding to adomain name, either through information available to it locally or byquerying other DNS servers, and return the IP address to the DNS client.The computing device can then initiate communication with the resourceusing the IP address.

It has been appreciated that some such name resolution technologiescould be abused. In DNS, for example, an attacker may be able tomisdirect a computing device to the attacker's own resource (e.g., theattacker's server) by responding to a DNS query with the IP address ofthe attacker's resource before the DNS server responds with thelegitimate IP address. The computing device may then be misdirected andwill connect to the attacker's resource rather than the legitimateresource. Then, while connected to the attacker's resource, thecomputing device may disclose data to the attacker or receive bogus dataor malware from the attacker.

Some security technologies have been implemented to reduce thelikelihood of this scenario by, for example, including randomizedidentifiers in each of the DNS queries and requiring that they beincluded in the response to the query, which will deter the attackerfrom responding with the hoax address unless the attacker is able toguess or detect the randomized identifier of the query. One securitytechnology that has been proposed to solve these security concerns isthe Domain Name System Security Extensions (DNSSEC) protocol,implemented with DNS. DNSSEC provides for digital signing of DNS resultsby certifying authorities (CAs) such that the results can be verified asaccurate. Additionally, using DNS or DNSSEC with the Internet ProtocolSecurity (IPsec) protocol has been proposed, to allow for encryptionand/or authentication of the communications between a DNS client and aDNS server.

SUMMARY

The applicants have recognized and appreciated that the security ofconventional name resolution technologies, including DNS, could beimproved. Further, conventional name resolution techniques are notdesigned to operate in a manner to connect to several networks via asingle network interface and a single set of network hardware, and thusthe growth of overlay networks is deterred.

Described herein are principles for securing name resolutiontechnologies and for ensuring that name resolution technologies canfunction in modern networks. Some of the approaches described arecompatible with a network configuration having an overlay networkaccessible via the same interface as an underlying network. Inaccordance with some of the principles described herein, a set ofresolution parameters may be implemented by a user, such as an end useror an administrator, to be used during a name resolution process forsecuring the process and/or for conducting the process in an overlaynetwork. In some implementations, the set of resolution parameters maybe maintained as a table of rules, and used to govern name resolutionprocesses. For example, resolution parameters may be created to govern aDNSSEC session, or to govern how to communicate with networksimplemented with Microsoft's Direct Access overlay technologies, or togovern communications using any other networking technology.

In some embodiments, there is provided a method comprising accepting asinput a first identifier for a network resource, consulting a collectionof sets of resolution parameters to determine a set of applicableresolution parameters that apply to the first identifier, and obtaininga second identifier. The second identifier may be obtained by conductinga name resolution process to determine the second identifier for thenetwork resource based on the first identifier. The name resolutionprocess is governed by the set of applicable resolution parameters.

In other embodiments, there is provided at least one computer-readablestorage medium on which is encoded computer-executable instructionsthat, when executed, cause a computer to perform a method. The methodcomprises accepting as input from an application program a domain namefor a resource accessible via a network, determining a set of applicableresolution parameters from a collection of sets of resolutionparameters, and establishing a connection to a Domain Name Service (DNS)server on the network according to the set of applicable resolutionparameters. The DNS server may be identified by the set of applicableresolution parameters. The method further comprises communicating a DNSquery to the DNS server according to the set of applicable resolutionparameters, receiving from the DNS server a response comprising anumeric identifier for the resource, and providing the numericidentifier to the application program.

In yet further embodiments, there is provided an apparatus comprising atleast one processor and at least one tangible computer-readable storagemedium on which is encoded a data structure comprising informationrelating to a set of resolution parameters. The data structure is storedin a manner usable by a name resolution software component to govern aname resolution process. The data structure comprises a first locationin which information is to be recorded defining a set of one or moreidentifiers for network resources to which the resolution parametersapply, a second location in which information is to be recorded defininga type of security to be implemented on a communication channel overwhich the name resolution process is to exchange information, a thirdlocation in which information is to be recorded defining at least onetrusted certifying authority, and a fourth location in which informationis to be recorded defining at least one network resource with which thecommunication channel is to be established. The at least one tangiblecomputer-readable storage medium comprises a plurality of instances ofthe data structure, each instance of the data structure being associatedwith a particular set of resolution parameter. The at least oneprocessor is adapted to execute the name resolution software component,and the name resolution software component is adapted to perform thename resolution process in accordance with at least one set ofapplicable resolution parameters. The name resolution software componentreads at least some of the plurality of data structure instances encodedon the at least one tangible computer-readable storage medium todetermine one or more sets of applicable resolution parameters.

The foregoing is a non-limiting summary of the invention, which isdefined by the attached claims.

BRIEF DESCRIPTION OF DRAWINGS

The accompanying drawings are not intended to be drawn to scale. In thedrawings, each identical or nearly identical component that isillustrated in various figures is represented by a like numeral. Forpurposes of clarity, not every component may be labeled in everydrawing. In the drawings:

FIG. 1 illustrates an exemplary computer system in which techniquesoperating according to some of the principles described herein may act;

FIGS. 2A and 2B illustrate tables of exemplary resolution parametersthat may be implemented in accordance with some of the principlesdescribed herein;

FIG. 3 is a flowchart of an exemplary process for performing a nameresolution that may be implemented in accordance with some of theprinciples described herein;

FIG. 4 is a flowchart of an exemplary process for identifying a set ofapplicable resolution parameters that may be implemented in accordancewith some of the principles described herein;

FIG. 5 is a flowchart of an exemplary process for resolving a textualidentifier into a numeric identifier that may be implemented inaccordance with some of the principles described herein;

FIG. 6 is a flowchart of an exemplary process for determining whether anidentifier stored in a cache may be returned as a result of a nameresolution process that may be implemented in accordance with some ofthe principles described herein;

FIG. 7 is a flowchart of an exemplary process for establishing a set ofresolution parameters that may be implemented in accordance with some ofthe principles described herein;

FIG. 8 illustrates an exemplary user interface with which resolutionparameters may be input;

FIG. 9 is a block diagram of components of an exemplary computing devicethat may implement techniques operating according to some of theprinciples described herein; and

FIG. 10 is a diagram of an exemplary manner of interoperability ofmodules that may be implemented in accordance with one or more of thetechniques operating according to principles described herein.

DETAILED DESCRIPTION

The applicants have recognized and appreciated that the security ofconventional name resolution technologies, including DNS, could beimproved. Further, conventional name resolution techniques are notdesigned to operate in a manner to connect to several networks via asingle network interface and a single set of network hardware, and thusthe growth of overlay networks is deterred.

For example, while DNSSEC has been proposed for ensuring that theresults of a DNS query are legitimate, it relies on two conditions thatmany have found unacceptable. First, each of the DNS servers involved inresponding to a DNS query (which may be in different locations andadministered by different parties) must be implemented to handle DNSSEC,which makes for difficult rollout to the entire Internet. Second, theDNS client, rather than being a “stub resolver” that passes most of theresponsibility for resolving a query on to a full resolver (a DNSserver) as in normal DNS, would have to act essentially as a fullresolver. This added processing to the client because the DNS clientwould become responsible for ensuring that each of the results returnedto the DNS client is legitimate and correct by examining a digitalsignature for the result to determine whether the certifying authority(CA) that issued a certificate used in signing the result is one thatshould be trusted. Putting this responsibility onto the client computingdevice executing the DNS client has a risk of overburdening thecomputing device, which is of particular concern in less-powerfulcomputing devices such as Personal Digital Assistants (PDAs) and mobilephones. To remove this burden from the client, it may be placed on aserver or other network resource.

Further, conventional name resolution technologies are not adapted towork in situations where overlay networks may exist. In the past, acomputing device might have connected to each network by a dedicatednetwork interface, and that network interface would have been configuredby the user and/or by devices on each network for interaction with thosenetworks, including configuring the interface to support name resolutiontechnologies implemented by the networks. For example, when a computingdevice such as a laptop was connected to a wired network, a Dynamic HostConfiguration Protocol (DHCP) server on the network may have provided tothe computing device an IP address, an identifier for a gateway, and anidentifier for a DNS server, among other configuration parameters. Anycommunication through that interface that used a textual identifier,then, would be resolved through the DNS server. If a computing devicewanted to connect to a different network or use a different nameresolution technology, then a separate interface would have to beconfigured. For example, a second wired interface could be used, or awireless interface could be used.

Applicants have recognized and appreciated that, in modern networks,“overlay” networks are becoming more common. These overlay networks areconfigured to co-exist with existing networks on the same hardware, andare logical overlays on top of existing hardware networks. Each of thenetwork devices connected to the overlay network are also connected toone or more existing hardware networks, such as existing local areanetworks and/or existing wide area networks. Such overlay networks maybe implemented in any of various ways, for example, using MicrosoftDirect Access. The overlay network may therefore be considered arestricted subgroup of one or more other networks.

Using these technologies, a computing device connecting to a givenhardware network, therefore, could be connecting simultaneously tomultiple networks via a single interface, including the underlyingnetwork and one or more overlay networks. Conventional name resolutiontechnologies would not be able to support such networks, as the type ofname resolution protocol or the network resources with which a computingdevice should communicate for name resolution (e.g., which DNS servers)may be different for the overlay network(s) in comparison to the nameresolution technology of the underlying network. Further, because somenetworks may keep private some information on how to access someresources on that network—for example, the location/identification of acertain secured server or other network resource—to keep thatinformation from being given to potential attackers, a specific serveror other resource may be the only possible source of the desired resultof a name resolution query. Alternatively, a particular network resourcemay have an identifier that is unknown outside of the overlay network,or that is a duplicate of a textual identifier of another resourceoutside of the overlay network, and a specific server or other resourcemay be the only possible source of the desired result of a nameresolution query for the particular network resource. Accordingly, itmay be necessary for the computing device to contact a specific serveror other resource during a name resolution process, which may bedifferent for communication on the overlay network(s) than theunderlying hardware networks, even if those overlay networks use thesame name resolution technology. Because of this, it may be necessaryfor one network interface of a computing device to maintain multipleaddresses of DNS servers for each of multiple overlay networks so thatthe computing device can communicate with each of the overlay networks.This is not possible with conventional computing devices, networkingtechniques, and name resolution technologies.

Described herein are principles for securing name resolutiontechnologies and for ensuring that name resolution technologies canfunction in modern networks that have a plurality of overlay networksaccessible via a single network interface. In some implementations, auser, such as an end user and/or an administrator, may compile a set ofresolution parameters that may be applied to a computing device for useby one, some, or all of the network interfaces of the computing devicefor resolving names using name resolution technologies of networksaccessible by the interface(s). These resolution parameters may thengovern name resolution processes performed by the interface(s). Forexample, in some such implementations, the resolution parameters mayspecify DNSSEC parameters and/or parameters regarding Direct Access,though it should be appreciated that other name resolution technologiesand other types of networks and security techniques may be used. Theseresolution parameters may be stored in any manner, for example, in atable of rules that may be examined by a name resolution module and usedto assemble a name resolution query.

The resolution parameters may comprise any suitable information on howto carry out a name resolution process. Further, the specific parametersused may depend on the type of network for which name resolution issought. For example, for a network on which DNSSEC is used as a nameresolution technology, the parameters may include security parameterssuch as to which domains the resolution parameters apply, whether toconfirm that the server validated a response, whether encryption shouldbe used in communicating with the server, what type of encryption shouldbe used, what certifying authority or authorities should be trusted tosign results, and which DNS server(s) should be queried for results. Asanother example, for an overlay network, such as one implemented usingDirect Access, resolution parameters such as to which networks/domainsthe resolution parameters apply, which DNS server(s) should be queriedfor results, whether encryption should be used, what type of encryptionshould be used, what certifying authorities should be trusted to signresults, and what proxy server(s) should be used when communicating withan overlay network may be implemented. Any suitable resolutionparameters may be used depending on the networks and name resolutiontechniques with which they may be implemented.

As used herein, a name resolution process may be any suitable techniquefor determining a numeric identifier corresponding to a textualidentifier, or vice versa, in accordance with any suitable nameresolution protocol. In the examples outlined below, the Domain NameService (DNS) protocol may be used as an example of a name resolutionprotocol and name resolution processes may be described as conforming tothe DNS protocol. It should be appreciated, however, that DNS is merelyone example of a name resolution protocol with which techniquesoperating according to the principles described herein may operate, andthat any suitable name resolution protocol may be implemented, asembodiments of the invention are not limited in this respect.

It should be appreciated that while many of the examples herein aredescribed in the context of determining a numeric identifier thatcorresponds to an input textual identifier, in some embodiments nameresolution processes may be implemented that additionally oralternatively take as input a numeric identifier and determine acorresponding textual identifier. Further, it should be appreciated thatwhile the examples outlined below describe techniques that operate witha one-to-one correspondence of textual identifiers and numericidentifiers-determining a single numeric identifier that corresponds toa single textual identifier, for example-this is only one exemplaryembodiment, and that in some implementations a textual identifier mayhave a plurality of corresponding numeric identifiers and a numericidentifier may have a plurality of corresponding textual identifiers.

The techniques described herein may be implemented in of variouscomputing systems, examples of which are described in greater detailbelow. Such systems generally involve the use of suitably-configuredcomputing devices implementing a number of functional modules, eachproviding one or more operations needed to complete execution of suchtechniques. Each functional module may be implemented in its own way;all need not be implemented the same way. As used herein, a functionalmodule is a structural component of a system that performs anoperational role. The operational role may be a portion of or an entiresoftware element. For example, a functional module may perform afunction of a process, a discrete process, or any other suitable unit ofprocessing. A functional module may comprise computer-executableinstructions, and may be encoded on a computer storage medium.Additionally, such computer-executable instructions may be written usingany of a number of suitable programming languages and/or programming orscripting tools, and also may be compiled as executable machine languagecode or intermediate code that is executed on a framework or virtualmachine. Functional modules may be executed in parallel or serially, asappropriate, and may pass information between one another using a sharedmemory on the computer on which they are executing, using a messagepassing protocol or in any other suitable way. Exemplary functionalmodules are described below carrying out one or more tasks, though itshould be appreciated that the functional modules and division of tasksdescribed is merely illustrative of the type of functional modules thatmay implement the exemplary techniques described herein, and that theinvention is not limited to being implemented in any specific number,division, or type of functional modules. In some implementations, allfunctionality may be implemented in a single functional module. Further,the functional modules are discussed below, for clarity, as allexecuting on one or two computing devices, though it should beappreciated that, in some implementations, the functional modules may beimplemented on many separate computing devices adapted to communicatewith one another. For example, one computing device may be adapted toexecute an input module to receive a first identifier, such as a textualidentifier, and communicate with a name resolution module on a secondcomputing device to perform a name resolution process to determine anumeric identifier corresponding to the textual identifier.

In one exemplary implementation of the principles described herein, asoftware application executing on a computing device may accept from auser input of a textual identifier of a desired network resource towhich the software application would like to establish a connection. Forexample, the software application may be a web browser, the textualidentifier may be a domain name of a web site, and the network resourcemay be a web server hosting the web site. To open a connection to thedesired network resource, the software application or a connectionmodule will use a numeric identifier for the network resource, and so aname resolution module (also referred to herein as a “resolutionmodule”) may convert the textual identifier to a numeric identifieracting as a network address, such as an IP address in IPv4 or IPv6format.

The textual identifier for the network resource will therefore be passedto a name resolution module adapted to perform a name resolution processto obtain the numeric identifier, which the name resolution module maythen return to the software application. Prior to performing the nameresolution process, however, the resolution module may review acollection of sets of resolution parameters to determine which, if any,of the sets of resolution parameters apply to the name resolutionprocess to be performed. This collection may be stored in any suitablemanner, including in a computer storage medium, such as a memory, in anysuitable format. To review the collection to determine which of the setsof parameters apply, the resolution module may retrieve some or all ofthe collection from memory and perform a comparison process of any kind,including, for example, comparing an input identifier to a parameter ofsome or all of the sets indicating to which network resources aparticular set of resolution parameters applies.

Each set of resolution parameters in the collection may apply to one ormore network resources, and may govern the manner in which a nameresolution process determines identifiers for the network resources towhich they apply. These resolution parameters may contain any suitableparameters that may affect how the name resolution process is carriedout, including any of the exemplary parameters discussed above. Forexample, each set of name resolution parameters may specify a particularresolution resource with which the resolution module should communicateto determine the numeric identifier, such as a particular DNS server.

The review of the collection by the resolution module may be done in anysuitable manner. In one implementation, the review may comprisecomparing the textual identifier to an identifier for each of the setsof resolution parameters to determine whether there is a match betweenthe identifiers. For example, the identifier for a set of resolutionparameters may be a DNS suffix, such as “*.corp.contoso.com” such thatany textual identifier that matches the latter portion of the identifieris one to which those resolution parameters apply. Thus, if the inputtextual identifier is “webserver.corp.contoso.com,” then that set wouldbe a set of parameters associated with that identifier, and could beconsidered a set of applicable resolution parameters. Once the one ormore sets of applicable resolution parameters is determined, a nameresolution process may be carried out in accordance with the applicableresolution parameters. For example, if the parameters specify aparticular resolution resource such as a DNS server, then a connectionwill be established to that resolution resource; if the parametersspecify a level of encryption to be used, communications with a nameresolution resource will use that level of encryption.

Once the resolution module has established a connection to theresolution resource using the applicable parameters, a resolutionrequest is issued to the resolution resource over the connection, theresolution request including the textual identifier and requesting thecorresponding numeric identifier. The resolution resource may performany suitable process, including any of various processes that are knownin the art, for determining the corresponding numeric identifier, suchas by consulting information it maintains locally, or by forwarding therequest to another resolution resource according to the applicableresolution parameters. Once the resolution resource has determined thenumeric identifier, the resolution resource may perform any suitablevalidation process on the numeric identifier. For example, if theapplicable resolution parameters specify that DNSSEC should be used todetermine the numeric identifier and specify one or more particularcertificate authorities that are trusted to provide a valid certificatethat can be used to authenticate results, the resolution resource may,during the validation process, determine whether the result was signedusing a certificate issued by any of the one or more particularcertificate authorities. If so, the resolution resource may provide thenumeric identifier to the resolution module on the computing device as aresult of the resolution request. The resolution module may then confirmthat the result was generated in accordance with the applicableresolution parameters, and present the result to the softwareapplication for use in establishing a connection to the desired networkresource. If, on the other hand, the result was not signed using adesignated certificate, the result may be discarded or provided to theresolution module with an indicator that it was not signed in accordancewith the resolution parameters.

Several distinct advantages may be offered by performing a nameresolution process in accordance with the principles described herein.First, by maintaining a collection of sets of resolution parameters, aname resolution process can be parameterized with the resolutionparameters to ensure that the resolution process is secure and thatresults can be trusted. For example, while in conventional nameresolution technologies a computing device had to trust that a resultfrom a particular result was legitimate, resolution parameters from thecollection allow a resolution module within a computing device to querya specific, trusted resolution resource to obtain an identifier (numericor textual) for a desired network resource with a high confidence that aresponse is legitimate. Further, the resolution module can be morecertain that the designated resolution resource will have thecorresponding identifier that the module is seeking. In addition, byusing the collection of resolution parameters, a resolution process maybe made more secure, by specifying, for example, whether encryptionshould be used, what type of encryption should be used, and how theencryption should be validated. Further, by specifying particularresolution resources with which to communicate, the collection mayenable the resolution module on the computing device to execute fewerfunctions and be less burdensome on the computing device, as somefunctions may be pushed onto network resources, such as resolutionresources, that the collection indicates are adapted to handle. Forexample, in one exemplary DNSSEC implementation, some validationprocesses may be performed on a resolution resource in the network, suchas a DNS server. The resolution module, having the collection, will knowto contact the particular resolution resource that is capable ofperforming the DNSSEC tasks. Additionally, using the collection, aresolution module may be able to perform different name resolutionprocesses for different input identifiers, such as contacting aparticular resolution resource for a textual identifier for a networkresource in an overlay network, or using a secure communication channelfor exchanging identifiers related to particular secure networkresources.

Additional functions and advantages of these and other techniquesoperating in accordance with the principles described herein will bemore fully understood from the examples described below. The followingexamples are intended to facilitate an understanding of the inventionand to illustrate the benefits of the principles described herein, butdo not exemplify the full scope of embodiments of the invention.

Techniques operating in accordance with the principles described hereincan be implemented in any suitable computer system comprising anysuitable number and type(s) of computing devices, including any suitablenumber and type of network resources. FIG. 1 shows an illustrativecomputer system in which some exemplary implementations of theprinciples described herein may act. It should be appreciated, however,that other implementations may operate in any other suitable computersystem.

FIG. 1 shows a computer system comprising a communication network 100 towhich a user device, computing device 102, may connect. Communicationnetwork 100 may be any suitable wired and/or wireless network, includinga portion of a larger wired and/or wireless network, such as a homenetwork, a subnet of an enterprise network, the Internet, and/or others.Computing device 102 is shown as a desktop personal computer, but may beany suitable computing device such as a laptop personal computer, a PDA,a smart phone, a server, a rack-mounted computer, a networking devicesuch as a router or switch, or other computing device.

Computing device 102 is coupled to a data store 104 storing a collectionof sets of resolution parameters. The data store 104 may be encoded onany suitable computer storage medium or media, and may store informationin any suitable format. Among the information stored in data store 104are resolution parameters that can be used to govern a name resolutionprocess for determining a second identifier corresponding to an inputfirst identifier, such as determining a numeric identifier for a networkresource corresponding to an input textual identifier. As discussedabove, the resolution parameters may comprise any suitable informationthat may be used during a name resolution process. The computing device102 may be adapted to execute one or more functional modulesimplementing such a name resolution process in which the resolutionparameters are used to form a connection to network resources connectedto the communication network 100.

The collection of sets of resolution parameters stored in data store 104may be provisioned in any of various ways, including being input by auser local to computing device 102 using any suitable user interfaceand/or by being provisioned remotely by an administrator using acomputing device 106. In one example, an administrator may specify theresolution parameters at the computing device 106 and push them down tocomputing device 102 through any suitable network management technique.For example, if the communication network 100 comprises a MicrosoftWindows network available from the Microsoft Corporation of Redmond,Wash. then the administrator may use a domain controller to push theresolution parameters out using a Group Policy through the ActiveDirectory protocol. It should be appreciated, however, that this ismerely an example of a network management technique that may beimplemented, and that any suitable technique may be used according tothe resources available on the network.

The computing device 102 may use the collection of sets of resolutionparameters to perform a name resolution process for determining anidentifier (numeric or textual) for a network resource such as networkresource 108, which may be any computing device accessible via anetwork, such as a server of any kind. To do so, the computing device102, upon accepting an input of a first identifier for the networkresource 108, may consult the collection of sets of resolutionparameters stored in data store 104 to determine a set of applicableresolution parameters, and then perform a name resolution processgoverned by the set of applicable resolution parameters. During the nameresolution process, a resolution module executing on the computingdevice 102 may communicate with a name resolution resource 110 todetermine one or more identifiers for the network resource 108. Anysuitable name resolution process may be executed in accordance with theprinciples described herein, including any of the exemplary nameresolution processes described below. Such a process may include anexchange of information in any suitable manner with any suitablenetworking device as a resolution resource 110. While resolutionresource 110 is illustrated in FIG. 1 as a server, it should beappreciated that any suitable computing device may be used as aresolution resource, including multi-purpose devices such as personalcomputers and single-purpose devices such as hardware name resolutiondevices.

In some implementations, the communication network 100 may not be asingle network, but may be a hardware network having one or more overlaynetwork(s) 100A instantiated on it. The overlay network(s) 100A may beinstantiated entirely on the hardware implementing communication network100, or may operate on hardware that used in communication network 100.The overlay network(s) 100A may share networking hardware with thecommunication network 100, such as routers and switches, but there maybe some network resources, such as client and server computing devices,which are connected via hardware to communication network 100 but arenot accessible to devices which are not members of the overlaynetwork(s) 100A.

As discussed above, to communicate with network resources on the overlaynetworks, computing device 102 may have to communicate with particularresolution resources having information on the network resourcesavailable on the overlay network(s) 100A, because only these particularresolution resources have knowledge of the network resources availableon the overlay network(s) 100A. In such implementations, the collectionof sets of resolution parameters may specify one or more particularresolution resources 110A with which the computing device 102 cancommunicate during a name resolution process to obtain identifiers fornetwork resources such as network resource 108. Some or all of the setsof resolution parameters in the collection may have identifiers thatmatch network resources of the overlay network(s) 100A. When theresolution module of the computing device 102 reviews the collection todetermine the set of applicable resolution parameters, the applicableresolution parameters may indicate that identifiers for the desirednetwork resource may be retrieved from the particular resolutionresource 110A. The name resolution process executed by the computingdevice 102, therefore, when parameterized with the set of applicableresolution parameters, may communicate with the specific resolutionresource 110A to retrieve identifiers for the desired network resource108. It should be appreciated that this review and name resolutionprocess may be carried out in any suitable manner, including by any ofthe exemplary techniques described below.

Additionally, in some implementations, the applicable resolutionparameters may also specify that communications to the network resource108 should be done via a proxy server 112. In returning a secondidentifier for the network resource, then, the resolution module mayadditionally or alternatively return an identifier, such as a numeric ortextual identifier, for the proxy server 112.

As discussed above, a set of resolution parameters may include anyinformation that may be used in carrying out a name resolution process.FIGS. 2A and 2B illustrate exemplary data structures storing collectionsof sets of resolution parameters that may be used in someimplementations in accordance with the principles described herein withtwo exemplary networking technologies. Additionally, while FIGS. 2A and2B show two different collections comprising parameters relating to twodifferent technologies, it should be appreciated that in someimplementations these technologies may be implemented in the same set ofresolution parameters. Further, a collection may be implemented as anysuitable data structure, and may, in some implementations, compriseother data structures each storing information relating to one or moresets of resolution parameters. These data structures may be stored incomputer-readable storage media associated with a client computingdevice that may request name resolution. It should be appreciated thatthe data structures shown in FIGS. 2A and 2B and the parameters theystore are merely illustrative of the types of data structures andparameters that may be used, as any type or types of networkingtechnologies may be used.

FIG. 2A shows a first data structure storing a collection 200A ofresolution parameters, with two exemplary sets of resolution parametersin the collection. As shown in FIG. 2A, in some implementations thecollection of resolution parameters may be organized as a tablecomprising a plurality of fields and rows, each field specifying a typeof resolution parameter and each row specifying a set of resolutionparameters, though other implementations are possible as any suitableformat may be used. The illustrative resolution parameters shown incollection 200A include parameters relating to a DNS resolution process,such as whether to use a DNSSEC protocol and whether or how to implementother DNS security parameters. As mentioned above, however, it should beappreciated that DNS is merely exemplary of the types of name resolutiontechnologies and protocols with which the principles described hereinmay operate, as any suitable name resolution protocol may be used.

The first illustrative resolution parameter shown in FIG. 2A is the“Name” parameter 202. This parameter 202 indicates to which identifiersa set of resolution parameters apply, and thus to which networkresource(s) the set of resolution parameters may apply. The nameparameter 202 may be used by a resolution module to determine whichset(s) of resolution parameters in a collection apply to a givenresolution process for an input identifier. The name parameter 202 maystore any identifier for a network resource, including any numeric ortextual identifier. For example, a numeric identifier may be anidentifier for a specific network resource, such as IP address“1.2.3.4”, or may be an identifier for a range of network resources,such as IP address subnet “157.0.0.0/8”. Similarly, a textual identifierthat may be used for the name parameter may be an identifier for aspecific network resource, such as fully qualified domain name (FQDN)like “itweb.contoso.com.”, or may be an identifier for a range ofnetwork resources, such as a DNS suffix like “*.contoso.com” or a DNSprefix like “itweb.*”.

The next resolution parameter shown in FIG. 2A is the DNSSEC parameter204. More specifically, the exemplary “DNSSEC” parameter stores a binaryvalue (on or off) indicating that DNSSEC validation is required in aresolution process for network resources matching the name parameter.When the DNSSEC parameter 204 of a set of resolution parameters is setto on/true, a resolution resource may perform a resolution process inaccordance with the DNSSEC protocol, and may ensure that any result isvalidated in accordance with the resolution parameters. A resolutionmodule executing the resolution process may also ensure that any resultof a DNS query has been validated according to DNSSEC standards, and mayindicate in a transmitted DNS request that DNSSEC validation has beenrequested, for example by setting a “DNSSEC OK” (DO) flag in a header ofthe request.

The next parameters relate to the security of DNS exchanges betweencomputing devices, for example between a DNS client and DNS server orany other set of devices. The first parameter, “DNS over IPsec”parameter 206, may store a binary (on/off or true/false) valueindicating whether to implement IPsec on communication channels for aname resolution process. For example, if the IPsec parameter is set totrue, then a resolution module may perform encryption and/orauthentication processes when establishing a connection to a nameresolution resource. If “DNS over IPsec” for a set of resolutionparameters is set to on/true, then the resolution module may examineother parameters of the set to determine settings for the IPsecprotocol. The next two parameters, “IPsec Encryption Level” 208 and“IPsec CA” 210 are examples of such parameters. “IPsec Encryption Level”may store any value that specifies whether encryption should be used,and/or what type of encryption should be used. The “IPsec EncryptionLevel” parameter 208 may store a None/Low/Medium/High value indicatingparticular types of encryption, for example, where “Low” may indicate aTriple Data Encryption Standard (3DES) or an Advanced EncryptionStandard (AES) encryption of any size and “High” may indicate an AESencryption of 192 or 256 bits. Alternatively, the IPsec encryption levelmay store a reference to a particular encryption standard, such asAES(256). “Ipsec CA” 210 may store an identifier for one or morecertificate authorities that are trusted to issue authenticationcertificates for resolution resources. When set, during anauthentication process of IPsec, the resolution module may confirm thata resolution result is authenticated with an authentication certificateissued by one of the trusted CAs to a trusted resolution resource.Additionally, if DNSSEC is turned on, then the response from the DNSserver is checked to determine whether the Extended Key Usage (EKU)signature in the response comes from one of the trusted CAs and thusthat the DNS server that produced the result is authorized, by theresolution parameters, to perform DNSSEC validation on behalf of thecomputing device.

The last parameter shown in FIG. 2A, “DNS server(s)” 212, may store alisting of one or more DNS server(s) with which a resolution moduleshould communicate during a resolution process. When an identifier inputto a resolution module matches the name parameter for a set ofresolution parameters, then the resolution module will query any DNSserver(s) listed in the “DNS server” parameter for identifierscorresponding to the input identifier. The “DNS server(s)” parameter maystore any suitable identifier(s) for one or more DNS server(s) that maybe used to establish a connection to the DNS server(s), including anysuitable numeric and/or textual identifier(s).

FIG. 2A shows two illustrative data structures storing sets ofresolution parameters that may form the collection 200A, each setcomprising illustrative values that may be stored as the parameters ofthe collection. It should be appreciated that these sets are examples ofthe types of sets that may be used, and that any values may be used asparameters and that any number of sets of parameters may be used.

FIG. 2B shows a second exemplary data structure storing a collection200B of resolution parameters. As in FIG. 2A, the collection 200B isorganized as a table having a plurality of fields identifying parametersand a plurality of rows identifying sets of resolution parameters, butit should be appreciated that any format may be used. Further, in theexample of FIG. 2B, the resolution parameters include those that may beused in connection with a Microsoft Direct Access functionality for anoverlay network. It should be appreciated, however, that Direct Accessis merely exemplary of the type of networking technologies and protocolswith which the principles described herein may operate, as any suitablenetworking technology, including any suitable overlay networkingtechnology, may be used.

The first parameter shown in FIG. 2B is the “Name” parameter 220.Similar to the Name parameter 202 of collection 200A, this parameteridentifies the network resource(s) to which a set of resolutionparameters may apply, and may be used by a resolution module todetermine which set(s) of resolution parameters in a collection apply toa given resolution process for an input identifier. The name parameter220 may store any identifier for a network resource, including anynumeric or textual identifier, including any of the exemplary parametersdescribed above in connection with collection 200A.

The next parameters in FIG. 2B relate to Direct Access technologies. The“Zone-Specific DNS server(s)” parameter 222 may store any suitableidentifier(s) for one or more DNS servers that may be queried as part ofa name resolution process for network resources available on an overlaynetwork. As discussed above, in some overlay networks, some networkresources may not be available for general access by all computingdevices on the hardware network on which the overlay network exists, andthis restriction may be partially enforced by not distributing widelythe identifiers for the network resources. To obtain an identifier for anetwork resource on an overlay network, then, a resolution module maycontact one or a small set of resolution resources. Accordingly, if anidentifier input to a resolution module matches the name parameter 220for a set of resolution parameters, then the resolution module maycontact a DNS server specified in the “Zone-Specific DNS Server(s)”parameter 222 to obtain a corresponding identifier for the networkresource.

“Zone-Specific Proxy” 224 is the next parameter shown. This parameter224 may be used by the resolution module to indicate to a softwareapplication that the software application is contacting a networkresource on an overlay network, and to configure the softwareapplication to use a proxy server to perform its connections, or to usean identified proxy server to perform its connections. For example, ifthe software application desires a connection to a particular networkresource and the set of applicable resolution parameters indicates tothe resolution module that a proxy server should be used, then theresolution module may indicate to the software application that itshould connect to the network resource via the proxy server. The proxyserver parameter 224 of the collection 200B may store any acceptablevalue, including a numeric and/or textual identifier for a resource, anull value or other indicator that no proxy server is required, or avalue indicating that the default proxy server settings should be usedby the software application.

The next parameter, “Remote DNS over IPsec” 226 is used to indicatewhether connections to network resources on the overlay network shouldbe secured in accordance with the IPsec protocol, such as withencryption and/or authentication. As with the “DNS over IPsec” parameter206 of collection 200A, the “DNS over IPsec” parameter 226 of collection200B may take a binary value, such as on/off or true/false, indicatingwhether to use IPsec. Also similarly to collection 200A, the “Remote DNSEncryption Level” 228 may store any suitable value indicating whetherand what types of encryption should be used in securing the connectionto a resolution resource, and “IPsec CA” 230 may store any suitableidentifier for one or more certificate authorities that are trusted toissue authentication certificates for resolution resources.

As with FIG. 2A, FIG. 2B also shows two illustrative data structuresstoring sets of resolution parameters that may form the collection 200B,each set comprising illustrative values that may be stored in theparameters of the collection. It should be appreciated that these setsare examples of the types of sets that may be used, and that any valuesmay be used as parameters and that any number of sets of parameters maybe used.

Further, it should be appreciated that while the two collections 200Aand 200B are shown separately and address two different technologies-DNSsecurity/DNSSEC and Direct Access-it should be appreciated that in someimplementations a set of resolution parameters may include parametersdirected to both of these technologies and/or to any other type(s) ofnetworking technology. For example, for a given overlay network, the setof resolution parameters may instruct a resolution module to use DNSSECand other DNS security to perform name resolution for the overlaynetwork.

In some techniques operating in accordance with the principles describedherein, additional resolution parameters may be included in a collectionof resolution parameters, but which are not a part of any particular setof resolution parameters. These global parameters may also be used togovern a resolution process, but may indicate when or whether to use anyof the sets of resolution parameters, may indicate how to handlefailures in name resolution, or may be resolution parameters which applyto all sets. For example, if a computing device supports NetworkLocation Awareness (NLA) which may inform the computing device of thehardware network to which it is connected, the collection may include aglobal setting indicating whether to forego review of all or a portionof the table based in the type or identity of the network to which thedevice is connected. For example, if the NLA indicates that thecomputing device is not connected to a particular hardware network onwhich there exists an overlay network, then an “NLA Bypass” parametermay indicate to the resolution module that it should forego reviewingall sets directed to overlay networks, or may indicate that it shouldforego reviewing all sets of resolution parameters for a particularoverlay network.

Additionally or alternatively, a global parameter may indicate how toissue a resolution request if outside of a particular network. Forexample, if the computing device is outside of a particular hardwarenetwork, then a “Query Behavior” parameter may indicate that theresolution module should query for particular types of identifiers, suchas IPv6 numeric identifiers prior to IPv4 numeric identifiers, or onlyIPv6 numeric identifiers. Another global parameter may relate to how toreact if the name resolution process fails, in that a second identifieris not located in accordance with the set of applicable resolutionparameters. This “Fallback Behavior” parameter may indicate that theresolution module should attempt to use alternative name resolutiontechnologies, or may indicate that no fallback is allowed. For example,the parameter may indicate that, if a DNS process fails, a LLMNR orNetBIOS process should be attempted.

These exemplary collections and resolution parameters, and any othersuitable resolution parameters in any suitable collection, may be usedby a resolution module to execute a name resolution process inaccordance with any type or types of name resolution technologies. Anysuitable name resolution process may be implemented and governed by theset of applicable resolution parameters. FIG. 3 shows a process 300 bywhich name resolution may be carried out. It should be appreciated,however, that the process 300 is merely exemplary of the types oftechniques that may be implemented, as any suitable technique may beused.

Process 300 begins in block 302, in which a first identifier for anetwork resource is received by a functional module of a computingdevice. The first identifier may be received by and from any suitablesources, including from a user via a suitable user interface, includingby a user interface of a software application. The first identifier maybe any suitable identifier for a network resource, including anysuitable textual identifier in accordance with a name resolutionprotocol, such as a domain name of the DNS protocol. In block 304, thefirst identifier may then be passed to a name resolution module todetermine a second identifier for the network resource. This may be donefor any reason. For example, if the first identifier was a textualidentifier received by a software application, then the softwareapplication may determine that it requires as the second identifier anumeric identifier for the network resource to establish a connection tothe network resource. This use case is merely exemplary, however, as theprinciples described herein are compatible with name resolutionprocesses executed with any suitable motivation.

In block 306, the resolution module determines whether the collectionhas any set of resolution parameters which apply to the identifier forwhich name resolution is sought. This can be done in any suitablemanner. For example, the resolution module may retrieve from a datastore a collection of sets of resolution parameters, and compare thefirst identifier to the collection to determine which, if any, of thesets of resolution parameters apply to the first identifier. Thiscomparison may be done in any manner, such as by comparing the firstidentifier to the “name” parameter described above in FIGS. 2A and 2B.The resolution module may then determine that one or more of the sets ofresolution parameters apply to a name resolution process to be executedby the module, and may either use the set of applicable resolutionparameters to govern the process or determine a set of applicableresolution parameters by merging multiple sets of resolution parametersin any suitable manner.

The determining of a set of applicable resolution parameters of block306 may be carried out in any suitable manner. The exact manner in whichit is carried out may depend on the format of the collection, and on theresolution parameters chosen to be included in the collection. FIG. 4shows one example of a determination process, but it should beappreciated that the process 400 is merely illustrative of the acts thatmay be performed as part of block 306 of process 300, and that otherprocesses are possible.

Process 400 begins in block 402, at which the resolution module accessesa collection of sets of resolution parameters from a data store. Thisdata store may be local to the computing device on which the resolutionmodule is executing, as in the example of FIG. 1, or it may be availableto it via any suitable communication medium or media such as a computercommunication network. In block 404, the resolution module may retrieve,for each set of resolution parameters in the collection, a pattern formatching identifiers that indicates to which identifiers for networkresources each set applies. The pattern may be any suitable indicator ofnetwork resources, including the name parameter described above inconnection with FIGS. 2A and 2B or any other numeric or textualindicator. In block 406, the first identifier is compared to eachpattern to determine whether the set of resolution parameters thatcorresponds to a pattern applies to the first identifier. For example,if the first identifier is “webserver.corp.contoso.com” and a pattern is“*.corp.contoso.com” (where * is a wildcard character), then it may bedetermined in block 406 that that set of resolution parameters appliesto the first identifier.

In block 408, once the set(s) of applicable resolution parameters aredetermined, then the parameters of the set(s) are retrieved to be usedto govern a name resolution process. In some implementations, only asingle set of resolution parameters will be retrieved as a set ofapplicable resolution parameters, while in others multiple sets ofresolution parameters may be retrieved. If multiple sets are obtained,any suitable process may be used to determine the set of applicableresolution parameters from the multiple sets of resolution parameters.For example, the parameters may be merged to determine a set ofapplicable resolution parameters that has the highest level of security,or the lowest level of security, or any other suitable standard. Asanother example, if multiple sets of resolution parameters match, thenthe resolution module may select the set that has a pattern that matchesmost closely. For example, if the first identifier is “a.corp.ms.com”and there is a set in the collection for “corp.ms.com” and a set for“ms.com,” then the set of resolution parameters for “corp.ms.com” may beselected because it is more specific.

Returning to process 300 of FIG. 3, in block 308, once the set ofapplicable resolution parameters has been determined, the resolutionmodule may perform a name resolution process parameterized with the setof applicable resolution parameters. The resolution module may thenobtain, as the output of the resolution process, a second identifier forthe network resource. For example, if the first identifier is a textualidentifier, the second identifier may be a numeric identifier such as anIP address, or vice versa. In block 310, the resolution module may thenreturn the second identifier to the functional module that passed thefirst identifier to it in block 302, and the process ends.

The acts of blocks 308 and 310 may be carried out in any suitablemanner. FIG. 5 shows an exemplary process 500 by which a name resolutionprocess, parameterized with a set of applicable resolution parameters,may be performed. It should be appreciated, however, that the process500 is merely illustrative of the types of name resolution processesthat may be implemented, as any suitable process may be implemented inaccordance with any suitable name resolution technologies and protocols.It should also be appreciated that while process 500 is described interms of certain resolution parameters, these parameters are also onlyexemplary, as any suitable parameters may be used in accordance with theprinciples described herein.

The process 500 of FIG. 5 begins in block 502, wherein the resolutionmodule establishes a connection to a name resolution resource identifiedby the set of applicable resolution parameters, such as by a “DNSserver(s)” parameter. Depending on the type or types of name resolutiontechnologies and protocols implemented, the nature of the resolutionresource may change. In some implementations, however, the nameresolution resource may be a network resource such as a DNS server. Inblock 504, in accordance with a “DNS over IPsec” parameter that is setto on/true, the connection to the resolution resource may be secured.The security of the connection may depend on other parameters, such asan “Encryption Level” parameter identifying a type of encryption to useand/or an “IPsec CA” parameter identifying one or more certificateauthorities that can issue certificates authenticating an identity ofthe resolution resource. Techniques for securing of communicationconnections using an IPsec protocol are known in the art, and as suchwill not be discussed further herein.

In block 506, once the connection to the resolution resource is secured,the resolution module may communicate a name resolution request over thechannel. The resolution request may include any suitable data forperforming a name resolution, including the first identifier and anyparameters indicating a process that the resolution resource may need tofollow. For example, the resolution request may indicate, in accordancewith a parameter of the set of applicable resolution parameters, thatDNSSEC has been enabled for the resolution request and that theresolution resource should perform a validation process on the secondidentifier in accordance with DNSSEC prior to returning the secondidentifier. For example, the resolution request may include one or moreindicators for one or more certificate authorities that the set ofresolution parameters indicates are trusted for returning trustedresults, and the resolution resource may confirm that one of these isused.

Any suitable technique may be carried out by the resolution resource toobtain a second identifier for a network resource, in accordance withthe particular name resolution technologies selected and indicated byresolution parameters. For example, if the resolution resource is a DNSserver, then the resolution resource may examine its local cache ofidentifiers to determine whether it “knows” of a second identifiercorresponding to the first identifier received in the resolutionrequest. If a second identifier is not in its cache, then it may passthe resolution request along to another DNS server, which may then carryout the same process. This will continue until the original resolutionresource receives a response including a second identifier. If DNSSEC isindicated by the set of applicable resolution parameters to be “on,”then when the resolution resource obtains a result-either from its owncache or from another DNS server-then the resolution resource mayexamine the result to determine if it has been “signed” by a trustworthysource that can vouch for the legitimacy of the result. If the result isdetermined to be valid, then it may be returned to the resolution modulethat issued the resolution request.

In block 508, the resolution module receives the response from theresolution resource over the secured channel and, in block 510, confirmsthat the second identifier was validated by the resolution resource andwas signed by a trusted certificate authority. In block 512, based onthe determination of block 510, the resolution module determines whetherthe identifier was validated in accordance with the set of applicableresolution parameters. If the second identifier was validated, then inblock 514 the second identifier is returned the functional module thatoriginally issued the request by providing the first identifier (as inblock 302 of FIG. 3) and the process ends. If, on the other hand, theresponse was not validated in accordance with the set of applicableresolution parameters, then in block 516 the resolution module disposesof the result and returns to the functional module an error messageindicating that no result was found, and the process ends.

In some implementations, a resolution module may also maintain a localcache of identifiers for network resources. The resolution module, uponreceiving a response to a resolution request containing a secondidentifier, may store in a cache the first identifier, the secondidentifier, and the resolution parameters used to obtain the secondidentifier. Then, when the resolution module receives a new request fora second identifier, the resolution module may examine the cache todetermine if it already has stored the second identifier, and if so, mayreturn the second identifier from the cache without issuing a resolutionrequest to a resolution resource. FIG. 6 shows an exemplary process 600for performing such a resolution process using a cache. It should beappreciated, however, that the process 600 is merely illustrative, andany suitable technique may be implemented in accordance with theprinciples described herein.

The process 600 begins in block 602, wherein the resolution modulereceives a first identifier and determines a set of applicableresolution parameters. This may be done in any suitable manner,including by any of the exemplary techniques described above. In block604, the resolution module may examine a cache to determine whether thefirst identifier is listed in the cache. If, based on a decision inblock 606, the first identifier is not in the cache, then in block 608the name resolution process continues as discussed above. When thesecond identifier is obtained by the name resolution process, theninformation describing the act of obtaining may be stored in the cachein block 610. This information may comprise any of various types of dataand instructions on the obtaining process. For example, the informationmay comprise the first identifier, the second identifier, and/or the setof applicable resolution parameters used in the act of obtaining. Oncethe information is stored in the cache, the process 600 ends.

On the other hand, if the first identifier is determined in block 606 tobe in the cache, then in block 612 the set of resolution parametersstored in the cache along with the first identifier is retrieved andcompared to the set of applicable resolution parameters retrieved inblock 602. This comparison may be done to ensure that any secondidentifier returned from the cache is an identifier that was obtained inaccordance with the set of applicable resolution parameters. Forexample, the comparison of block 612 may determine that the parametersare equal, or that the parameters used to obtain the identifier storedin the cache are at least as secure as the parameters retrieved in block602. Alternatively, the comparison of block 612 may determine that thesource of the second identifier in the cache-the resolution resourcefrom which the second identifier was obtained—is the same as the sourcerequired by the set of applicable resolution parameters. As anotherexample, the cache may instead store a time the second identifier wasretrieved, and the resolution module may compare that to a last time theresolution parameters were edited to determine if the resolutionparameters are the same at the time of execution as they were at thetime the identifier in the cache was retrieved. Any suitable comparisonprocess may be carried out in block 612.

In block 614, if the parameters do not match, then a name resolutionprocess is carried out as described above, in accordance with the set ofapplicable resolution parameters, to ensure that any identifier obtainedis obtained appropriately. If, however, in block 614 it is determinedthat the parameters match, then in block 616 the second identifier isreturned from the cache to the functional module that provided the firstidentifier, and the process 600 ends.

Described above are several different techniques for determining asecond identifier based on a first identifier input to a resolutionmodule by a functional module. It should be appreciated, however, thateach of these techniques is merely illustrative of the types oftechniques that may be implemented in accordance with the principlesdescribed herein. Any type or types of methods may be implemented tocarry out a name resolution process to determine identifiers for networkresources based on name resolution technologies, whether implemented asa hardware network or an overlay network, or based on resolutionparameters that have been provisioned for a resolution module.

The resolution parameters that are provisioned for a resolution modulemay be provisioned in any suitable manner. For example, in oneimplementation, the resolution parameters may be entered locally by auser of a computer device and stored in a data store associated with thecomputing device. In another implementation, the resolution parametersmay be provided over a network when the computing device connects to thenetwork. FIG. 7 shows an example of one such latter process forproviding resolution parameters to a computing device via a network. Itshould be appreciated, however, that the process 700 of FIG. 7 is merelyillustrative, and others are possible. Further, it should be appreciatedthat while the example of FIG. 7 is described in terms of a MicrosoftWindows computer network, other networks are possible in which computingdevices are configured by the network at the time they connect to thenetwork.

The process 700 begins in block 702, wherein an administrator inputs acollection of resolution parameters into a domain controller of thenetwork. This collection of resolution parameters may be input in anysuitable manner, including as a part of a Microsoft Active DirectoryGroup Policy for the network. The Group Policy may apply to any portionof the network, including to a group of computing devices connected tothe network and/or to a group of users of the network. In block 704, thedomain controller receives the resolution parameters and stores it as aGroup Policy, then transmits the Group Policy to all members of thegroup. This transmission of block 704 may be carried out after a settime period, such as every 15 minutes, or when members of the group(either computers or users) join or sign onto the network. In block 706,a computing device executing a resolution module as described hereinreceives the Group Policy in any suitable manner and stores it in a datastore associated with the computing device. Then, in block 708, whenexecuting a name resolution process, the resolution module applies thecollection of resolution modules to the name resolution process in anysuitable manner, including any of the exemplary techniques describedabove.

Any suitable user interface may be used to input resolution parameters.For example, in some implementations a text-based command line tool maybe used to input resolution parameters. In other implementations, agraphical user interface may be used to input resolution parameters.FIG. 8 shows an example of one such graphical user interface that may beused in accordance with some of the principles described herein. Itshould be appreciated, however, that some implementations may usealternative user interfaces, as embodiments of the invention are notlimited to using any particular input technique for resolutionparameters.

The graphical user interface 800 comprises a number of controls that maybe used to input resolution parameters. A text block 802 may be used toinput a name for a network resource, including a pattern to be used tomatch names of network resources, as in the “name” parameter describedabove in connection with FIGS. 2A and 2B. The graphical user interfacemay also comprise a text block 804 to input information relating to acertificate authority that may be used for an IPsec security processand/or for signing identifiers in accordance with secure name resolutiontechnologies like DNSSEC. A series of controls 806 related to DNSSecurity may also be implemented, with controls indicating parameterssuch as whether to require DNSSEC validation, whether to use IPsec, andwhat type of encryption to use if IPsec is to be used. Another series ofcontrols 808 may also be implemented for use with overlay networks suchas Direct Access, accepting parameters such as identifiers foracceptable resolution resources such as DNS servers, an identifier for aproxy server to use, whether to use IPsec, and what type of encryptionto user if IPsec is to be implemented. The graphical user interface 800also comprises buttons 810 for creating and updating a set of resolutionparameters including the parameters input in each of the controls802-808. Other, global resolution parameters may also be input to thegraphical interface via a frame 812. Once a set of resolution parametershas been created, it may be displayed in a frame 814 at the bottom ofthe graphical user interface 800, which has a plurality of columnsaligning to types of parameters that may be input using the interface800.

When a set of parameters is created or updated using the graphical userinterface 800, the set of parameters may be stored in any suitable datastructure in any suitable format. The data structure may be stored in adata structure storing a collection of sets of resolution parameters,such as the collections 200A and 200B of FIGS. 2A and 2B. These datastructures, as discussed above, may be encoded on any suitable computerstorage medium. Accordingly, when a user inputs parameters using thegraphical user interface 800, the graphical user interface 800 mayinitiate a recording process to record the input parameters onto acomputer-readable medium in any suitable manner.

Techniques operating according to some or all of the principlesdescribed herein may be implemented in any suitable manner. For example,in some embodiments, the techniques may be implemented ascomputer-executable instructions encoded on one or morecomputer-readable storage media such as magnetic media (e.g., a harddisk drive), a Compact Disk (CD), a Digital Versatile Disk (DVD), apersistent or non-persistent solid-state memory (e.g., Flash memory,Magnetic RAM, etc.), or any other suitable storage media. The computerstorage media may be implemented as computer-readable storage media 906of FIG. 9 (i.e., as a portion of a computing device 900) or as aseparate computer storage medium. It should be appreciated that, as usedherein, a “computer-readable medium,” including “computer-readablestorage medium,” refers to tangible storage media having at least onephysical structure that may be altered in some way during a process ofrecording data thereon. For example, a magnetization state of a portionof a physical structure of a computer-readable medium may be alteredduring a recording process.

In some such embodiments, the computer-executable instructionsimplementing the techniques operating in accordance with the principlesdescribed herein may be implemented as one or more stand-alonefunctional modules (e.g., the resolution module described above). Asdescribed above, a “functional module” is a structural component of asystem which performs a specific operational role, however instantiated,which may be a portion of or an entire software element (e.g., afunction or a discrete process). Generally, functional modules includeroutines, programs, objects, components, data structures, etc. thatperform particular tasks or implement particular abstract data types.Typically the functionality of the functional modules may be combined ordistributed as desired in various embodiments. These functional modulesmay, in some implementations, be adapted to interact with other,unrelated functional modules and/or processes, such as functionalmodules implementing a software program application or implementing anoperating system for a computing device, or, in other implementations,the modules may be adapted to interact with other functional moduleswhich, together with the modules, form an overall system such as anoperating system such as the Microsoft Windows operating system,available from the Microsoft Corporation of Redmond, Wash. (i.e., thefunctional modules may be implemented as a portion of or outside of anoperating system). It should also be appreciated that, in someimplementations, some functional modules may be implemented separatelyfrom others, or some functional modules may not be implemented.

In some, but not all implementations, the techniques may be embodied ascomputer-executable instructions that may be executed on any suitablecomputing device(s) operating in any suitable computer system, includingthe exemplary computer system of FIG. 1. For example, techniquesoperating according to some or all of the principles discussed hereinmay operate on a single multi-purpose programmable digital computerapparatus, a coordinated system of two or more multi-purpose computerapparatuses sharing processing power and jointly carrying out thetechniques described herein, a single computer apparatus or coordinatedsystem of computer apparatuses (co-located or geographicallydistributed) dedicated to executing the techniques described herein, oneor more application-specifics integrated circuits (ASICs) for carryingout the techniques described herein, one or more Field-Programmable GateArrays (FPGAs) for carrying out the techniques described herein, or anyother suitable system.

FIG. 9 illustrates one exemplary implementation of a computing device inthe form of a computing device 900 that may be used in a systemimplementing the techniques described herein, although others arepossible. Further, it should be appreciated that FIG. 9 is intendedneither to be a depiction of necessary components for a computing deviceto operate in accordance with the principles described herein, nor acomprehensive depiction.

Computing device 900 may comprise a processor 902, a network adapter904, and computer-readable storage media 906. Computing device 900 maybe, for example, a desktop or laptop personal computer, a workstation, aserver, a mainframe, a smart phone, or any other suitable computingdevice. Network adapter 904 may be any suitable hardware and/or softwareto enable the computing device 900 to communicate with any othersuitable computing device over any suitable computing network. Thecomputing network may be any suitable wired and/or wirelesscommunication medium or media for exchanging data between two or morecomputers, including the Internet. In some implementations, networkadapter 904 may be implemented as two or more separate network adapters,offering connectivity via two or more types of network interfaces (e.g.,a wired network adapter such as an Ethernet adapter and a wirelessnetwork adapter such as an IEEE 802.11g adapter). Computer-readablestorage media 906 may be any suitable tangible storage medium adapted tostore data to be processed and/or instructions to be executed byprocessor 902. Processor 902 enables processing of data and execution ofinstructions. The data and instructions may be stored on thecomputer-readable storage media 906 and may, for example, enablecommunication between components of the computing device 900.

The data and instructions stored on computer-readable storage media 906may comprise computer-executable instructions implementing techniqueswhich operate according to the principles described herein. In theexample of FIG. 9, computer-readable storage media 906 storescomputer-executable instructions implementing various modules andstoring various information as described above. Computer-readablestorage media 906 stores data and instructions relating to one or moreapplication programs 908 that may execute on the computing device. Theseapplication programs may include those that may accept a firstidentifier for a network resource and seek to obtain a second identifierfor the network resource. The computer-readable storage media 906 alsoincludes a name resolution module 910 for determining a secondidentifier for a network resource based on a first identifier accordingto any suitable technique, including any of the exemplary techniquesdescribed above. Computer-readable storage media 906 also comprises acollection 912 of sets of resolution parameters. As discussed above,this collection may be organized and formatted in any suitable manner,and the resolution parameters may include any suitable parameters forgoverning execution of a name resolution process of the name resolutionmodule 910. In one implementation, for example, the collection 912 maybe implemented on the computer-readable storage media 906 as a part of aRegistry of a Microsoft Windows operating system. Computer-readablestorage media 906 may additionally comprise a cache 914 of identifiersthat have been retrieved by the name resolution module 910. The cachemay be organized in any suitable manner and may contain any suitabletype or types of information, including sets of first and secondidentifiers for network resources, sets of resolution parameters used toobtain identifiers, times that identifiers were obtained, and/or anyother type or types of information.

Lastly, in the example of FIG. 9, computer-readable storage media 906may comprise a set of Application Programming Interface (API) functionsto affect the collection of sets of resolution parameters and todetermine the contents of the collection. For example, the API mayimplement a GetProxyInfo function to determine a proxy that may be usedfor contacting a particular network resource, taking as input anidentifier for the network resource. The GetProxyInfo function may usethe input identifier for the resource to locate a set or sets ofresolution parameters in the collection that apply to the networkresource, then may return an identifier for a proxy server if any of thesets of resolution parameters indicate that a proxy server is to beused. A GetPolicyTableInfo API function may also be implemented toreturn the contents of a collection (i.e., the sets of resolutionparameters). Further, a GetEffectivePolicy API function could returnsome (or all) of the sets of resolution parameters in the collection,depending on which are not applicable to the given situation. Forexample, if some of the sets of resolution parameters apply to aparticular network and the computing device 900 is not connected to thatnetwork, then those sets may not be returned as part of the output ofthe GetEffectivePolicy function. Additionally, a GetAddrInfo or DnsQueryfunction may be implemented that will take as input a first identifierand execute a name resolution process governed by the collection of setsof resolution parameters to determine a second identifier, and returnthe second identifier. It should be appreciated that these API functionsare merely exemplary of the type of API functions that may beimplemented, as embodiments of the invention are not limited in thisrespect.

The modules implementing techniques operating according to theprinciples described herein may interact in any suitable manner. FIG. 10shows one exemplary arrangement of modules that may be implemented inaccordance with some of the principles described herein.

In the example of FIG. 10, an application program 1000 interacts withone or both of a connection module 1002 and a name resolution module1004 to determine a second identifier corresponding to a firstidentifier. For example, the application program 1000 may directly querythe name resolution module 1004, or the application program 1000 mayattempt to open a connection to a network resource using the connectionmodule 1002 using a first identifier, and the connection module mayrequest a second identifier from the name resolution module to use inopening the connection. The name resolution module 1004, in attemptingto obtain a second identifier, may use a collection of sets ofresolution parameters 1006 as discussed above, and may further use acache 1008 of identifiers as discussed above. Lastly, in using thecollection of resolution parameters 1006 to obtain a second identifier,the name resolution module 1004 may also use a variety of connectiontechnologies 1010, including a connection module 1012 to open aconnection to a resolution resource, and authentication and/orencryption modules 1014 and 1016 to perform any security processes thatmay be dictated by the resolution parameters in the collection.

Having thus described several aspects of at least one embodiment of thisinvention, it is to be appreciated that various alterations,modifications, and improvements will readily occur to those skilled inthe art.

Such alterations, modifications, and improvements are intended to bepart of this disclosure, and are intended to be within the spirit andscope of the invention. Accordingly, the foregoing description anddrawings are by way of example only.

Various aspects of the present invention may be used alone, incombination, or in a variety of arrangements not specifically discussedin the embodiments described in the foregoing and is therefore notlimited in its application to the details and arrangement of componentsset forth in the foregoing description or illustrated in the drawings.For example, aspects described in one embodiment may be combined in anymanner with aspects described in other embodiments.

Also, the invention may be embodied as a method, of which an example hasbeen provided. The acts performed as part of the method may be orderedin any suitable way. Accordingly, embodiments may be constructed inwhich acts are performed in an order different than illustrated, whichmay include performing some acts simultaneously, even though shown assequential acts in illustrative embodiments.

Use of ordinal terms such as “first,” “second,” “third,” etc., in theclaims to modify a claim element does not by itself connote anypriority, precedence, or order of one claim element over another or thetemporal order in which acts of a method are performed, but are usedmerely as labels to distinguish one claim element having a certain namefrom another element having a same name (but for use of the ordinalterm) to distinguish the claim elements.

Also, the phraseology and terminology used herein is for the purpose ofdescription and should not be regarded as limiting. The use of“including,” “comprising,” “having,” “containing,” “involving,” andvariations thereof herein, is meant to encompass the items listedthereafter and equivalents thereof as well as additional items.

1. A method comprising: (A) accepting as input a first identifier for anetwork resource; (B) consulting a collection of sets of resolutionparameters to determine a set of applicable resolution parameters thatapply to the first identifier; and (C) obtaining a second identifier forthe network resource, the obtaining comprising conducting a nameresolution process to determine the second identifier for the networkresource based on the first identifier, wherein the name resolutionprocess is governed by the set of applicable resolution parameters. 2.The method of claim 1, wherein the set of applicable resolutionparameters governs communication between a host computing deviceexecuting the method and a remote computing device to which the hostcomputing device issues a name resolution request.
 3. The method ofclaim 2, wherein the obtaining further comprises: (C1) transmitting tothe remote computing device the name resolution request in accordancewith the set of applicable resolution parameters.
 4. The method of claim1, wherein consulting the collection of sets of resolution parameterscomprises: (B1) comparing the first identifier of the network resourceto patterns associated with each of the sets of resolution parameters todetermine whether each set of resolution parameters applies to the firstidentifier.
 5. The method of claim 1, wherein the first identifier is atextual identifier for the network resource and the second identifier isa numeric identifier for the network resource.
 6. The method of claim 1,wherein the resolution parameters comprise information on one or moretypes of encryption to be used.
 7. The method of claim 1, wherein theresolution parameters comprise identifiers for one or more networkresources with which information is to be exchanged during the nameresolution process.
 8. The method of claim 1, wherein the nameresolution process is a process in accordance with the Domain NameSystem (DNS) protocol.
 9. The method of claim 8, wherein the nameresolution process is a process in accordance with the DNS SecurityExtensions (DNSSEC) protocol.
 10. The method of claim 8, wherein thename resolution process is adapted to function with an overlay networkimplemented using Direct Access.
 11. At least one computer-readablestorage medium on which is encoded computer-executable instructionsthat, when executed, cause a computer to perform a method, the methodcomprising: (A) accepting as input from an application program a domainname for a network resource accessible via a network; (B) determining aset of applicable resolution parameters from a collection of sets ofresolution parameters; (C) establishing a connection to a Domain NameService (DNS) server on the network according to the set of applicableresolution parameters; (D) communicating a DNS query to the DNS serveraccording to the set of applicable resolution parameters; (E) receivingfrom the DNS server a response comprising a numeric identifier for thenetwork resource; and (F) providing the numeric identifier to theapplication program.
 12. The at least one computer-readable storagemedium of claim 11, wherein the act of establishing a connection to aDNS server comprises establishing a connection to a DNS serveridentified by the set of applicable resolution parameters.
 13. The atleast one computer-readable storage medium of claim 11, wherein themethod further comprises: confirming that the response was generated inaccordance with the resolution parameters; and if the response was notgenerated in accordance with the resolution parameters, not providingthe numeric identifier to the application program.
 14. The at least onecomputer-readable storage medium of claim 11, wherein confirming thatthe response was generated in accordance with the resolution parameterscomprises determining whether the response was validated in accordancewith the DNS Security Extensions (DNSSEC) protocol.
 15. The at least onecomputer-readable storage medium of claim 14, wherein communicating aDNS query to the DNS server according to the set of applicableresolution parameters comprises encrypting communications according toencryption techniques identified by the set of applicable resolutionparameters.
 16. The at least one computer-readable storage medium ofclaim 11, wherein the method further comprises: storing the response andthe set of applicable resolution parameters used to retrieve theresponse in a cache; and upon receiving the domain name as a secondinput as part of a second request for the numeric identifier,determining whether the set of applicable resolution parameters used toretrieve the response is sufficient for providing the response to thesecond request, and if so, providing the response from the cache. 17.The at least one computer-readable storage medium of claim 11, whereindetermining the set of applicable resolution parameters from thecollection of sets of resolution parameters comprises comparing thedomain name of the network resource to patterns associated with each ofthe sets of resolution parameters to determine whether the set ofresolution parameters applies to the domain name.
 18. The at least onecomputer-readable storage medium of claim 11, wherein the act (F)further comprises: (F1) providing an identifier for a proxy server forthe network resource to the application program.
 19. An apparatuscomprising: at least one processor; and at least one tangiblecomputer-readable storage medium on which is encoded a data structurecomprising information relating to a set of resolution parameters, thedata structure being stored in a manner usable by a name resolutionsoftware component to govern a name resolution process, the datastructure comprising: a first location in which information is to berecorded defining a set of one or more identifiers for network resourcesto which the resolution parameters apply; a second location in whichinformation is to be recorded defining a type of security to beimplemented on a communication channel over which the name resolutionprocess is to exchange information; a third location in whichinformation is to be recorded defining at least one trusted certifyingauthority; and a fourth location in which information is to be recordeddefining at least one network resource with which the communicationchannel is to be established, wherein the at least one tangiblecomputer-readable storage medium comprises a plurality of instances ofthe data structure, each instance of the data structure being associatedwith a particular set of resolution parameters, and wherein the at leastone processor is adapted to execute the name resolution softwarecomponent, the name resolution software component being adapted toperform the name resolution process in accordance with at least one setof applicable resolution parameters, the name resolution softwarecomponent reading at least some of the plurality of data structureinstances encoded on the at least one tangible computer-readable storagemedium to determine one or more sets of applicable resolutionparameters.
 20. The apparatus of claim 19, wherein the processor isfurther adapted to exchange information with at least one remote networkresource in accordance with the at least one set of applicableresolution parameters.